From 44dc3c27aacb9fcd8869b5295ebcea47bc05951c Mon Sep 17 00:00:00 2001
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Tue, 27 Oct 2020 15:55:21 +0100
Subject: [PATCH] Try and sign phars on releases, refs #5155

---
 .github/workflows/release.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7255735d8..8f0ba92ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,6 +57,27 @@ jobs:
           asset_name: composer.phar
           asset_content_type: application/octet-stream
 
+      - name: Configure GPG key and sign phar
+        run: |
+          mkdir -p ~/.gnupg/
+          chmod 0700 ~/.gnupg/
+          echo "$GPG_SIGNING_KEY" > ~/.gnupg/private.key
+          gpg --import ~/.gnupg/private.key
+          gpg -u contact@packagist.com --detach-sign --output composer.phar.asc composer.phar
+        env:
+          GPG_SIGNING_KEY: |
+            ${{ secrets.GPG_KEY_161DFBE342889F01DDAC4E61CBB3D576F2A0946F }}
+
+      - name: Upload phar signature
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./composer.phar.asc
+          asset_name: composer.phar.asc
+          asset_content_type: application/octet-stream
+
       # This step requires a secret token with `pull` access to composer/docker. The default
       # secrets.GITHUB_TOKEN is scoped to this repository only which is not sufficient.
       - name: "Open issue @ Docker repository"